‘Bounty Hunter’ Earns Record Payout, and Job, from Facebook

Reginaldo Silva earned a record payout from Facebook for finding a security flaw


Reginaldo Silva was poring over computer code in November when the one-time software engineer found what he thought was a security loophole on Facebook’s servers. The discovery led to the largest “bug bounty” ever paid by the company, and a job for Silva as an engineer at Facebook.

Silva earned $33,500 for notifying Facebook of the flaw, which he said could have allowed a hacker to enter Facebook’s servers and execute code. In a worst-case scenario, the breach could have allowed the hacker to access Facebook accounts or even spread a computer virus to members. A Facebook spokesman said any manipulation of its servers would have been quickly identified and stopped by the company.

Facebook employs hundreds of engineers who ferret out loopholes and bugs, but like many companies offers rewards to “white hat” hackers who find undetected chinks in the digital armor.

“They’ve found things we wouldn’t have found,” says Alex Rice, head of product security at Facebook. “The bounty program has by far been the best tool we have for identifying bugs that make it out into the wild.”

A Facebook panel initially awarded Silva $26,500, which would have been the highest amount ever paid by the company. Silva, though, went back to Facebook, pointing out that the flaw was more serious than the company realized. Facebook’s engineers agreed and the company increased the payout, Silva says.

Once Facebook fixed the flaw, Silva described the problem on his blog. Since then, the 27-year-old, who lives in Sao Jose dos Campos, Brazil, has become a minor celebrity in the world of bug bounty hunters. He says he’s been offered a number of full-time jobs, and recently accepted one working for Facebook’s product security team, where he’ll be writing code, reviewing software for bugs and working with outsiders as part of the bug bounty program.

Silva says he caught dozens of bugs after he started hunting for them full-time in 2012 — Google ranks him fifth on its list of “best bug reporters.”

He had competition, though. Last year, Facebook received 14,736 submissions from bounty hunters around the world, more than double the previous year. Facebook paid cash rewards for roughly a third of the submissions. A panel of eight to 15 Facebook engineers votes on the reward amount that should be paid for each bug.

Facebook paid a total of $1.5 million in 2013 to 330 people for discovering bugs, most of which involved what Facebook calls “non-core properties,” such as companies that it has acquired. The program has helped reduce the number of bugs in its system. “We’re hearing from researchers that it’s tougher to find good bugs,” Facebook security engineer Collin Greene wrote in a blog post on the company’s site Thursday.

While Silva makes a living searching for bugs, he says he’s no millionaire — he still hasn’t sprung for World Cup tickets in Brazil this year.